How to Use the Critical System Protection Application Control Policy
Updated On:10-11-2011 14:07
Critical System Protection
This document describes how to use the Application Control Policy in Symantec Critical System Protection (SCSP). This will take you through how to make a Behavior Control Description for Notepad.exe and copy it to a currently installed IPS policy
The Application Control Policy is not actually meant to be applied to any agent machine -- its purpose is for organizational purposes only. You use this policy to set up behavior controls for custom applications that are not included in the policies that ship with the product.
Once the applications are set up, you can copy each application (as necessary) and paste it into a policy that will be applied to the agent machines (like the Windows Core or Windows Strict policies).
The application control policy is basically a placeholder policy that allows you to make a ruleset once for an application and then reuse that ruleset in various other policies, avoiding the need to recreate the ruleset every time you make a new IPS policy. Again, the application control policy is not designed to be applied to an agent machine.
Here is how you use the Application Control (AC) policy. For learning purposes, we will be using notepad.exe and controlling its behavior with this policy.
Go to the target (agent) Windows machine, and create a folder off the C drive called c:\test\
Inside the test folder of the target (agent) add these three files: "notepadtest.txt" "notepad_readonly.txt" and "notepad_noaccess.txt"
Open up a new copy (not an edited version) of the AC policy. If necessary, hit the "Create Default Policies" icon above the policies to generate an out-of-the-box policy that has not been edited.
Once open, do not change anything, and go the "My Custom Programs" section, on the bottom of the tree on the left.
On the right hand side, hit "New"
Type in a display name "Notepad"
Cloose "This program is interactive" in the pull-down menu.
In the Identifier field, create an identifier that does not have any spaces. Use "notepad_exe"
Enter a description if you want
Drill down to the Settings under the "Notepad" custom program. This will bring up the setting tree on the right hand side.
Check the "Specify Interactive Programs with Custom privileges". This must be checked.
Highlight the "List of customer interactive programs" and then click the Add button below
Enter the path to notepad. You can use "c:\windows\system32\notepad.exe" or "%systemroot%\system32\notepad.exe". The benefit to using the %systemroot% is that if you install windows to different drives on different machines, %sytemroot% will always go to the Windows directory, no matter where it is.
Leave everything else blank but the rule name. The rule name will be used for reporting purposes in the console, so you can call this "notepad_exe_behavior_control" or something of the sort. Note, no spaces. You could also set this to only be in effect when a particular user or group (active directory group) is logged on by filling in the proper fields. Arguments pertain to any switches that are run, usually from a command line or programatically.
Go to Resource Lists, expand Writable Resource Lists
Check the "Allow but log modifications to these files" box, and click the "list of files that can be modified".
Hit the add button and add c:\test\notepadtest.exe to the resource path. Call this rule "notepad_allow". Hit ok.
Next, expand "Read-only Resource Lists, check "Block Modifications to these files" and add "c:\test\notepad_readonly.txt" to the resource path under "list of files that should not be modified", and call this rule "notepad_readonly"
Next, do the same for the No-Access resource list, adding "notepad_noaccess.txt" to the resouce path under "Block all access to these files"
Hit apply at the bottom right. I suggest to always select "Update Revision to . . ." to increment the revision. This will become important later when you have a lot of policies and you need to troubleshoot. A good admin will also put a small description of what was changed, in case someone else needs to see what changed at a later date.
Now it is time to copy the Behavior Control Description (BCD) that you just created and add it to the Windows Core Policy. You can add this to any Windows based policy, but we will add this to the Windows Core Policy today.
Select the "My Custom Programs" from the tree on the left.
On the right pane, select the "Notepad"
Click the "Copy to Other Policy" button
On the Copy Policy Options Wizard window, hit Next
Select the target policy you went to add the Notepad BCD to. For this demonstration, choose sym_win_protection_core.sbp
Hit next, and select "Take the new option settings"
You have now added the Notepad BCD to the Windows Core Policy. Hit OK to save the Application Control Policy and get back to the main screen.
Now, select the sym_win_protection_core_sbp in the Workspace > Symantec folder (under the Prevention tab), right click it and apply the policy to your test machine.
Go to the Assets section on the left. Wait until the Rad flag goes away on the asset that you applied the policy to (the red flag means that the policy is in the process of being applied).
Once the red flag goes away, go to your test machine and open up (double click) c:\test\notepadtest.exe. Type something in and save it. (Note this is assuming that notepad.exe is associated with .txt files, which it is by default in Windows. If notepad is not the default program for .txt files, then open the files from within notepad.)
Next, do the same for c:\test\notepad_readonly.txt. Note that when you try to save, you cannot.
Then, do the same for c:\test\notepad_noaccess.txt. Note that you cannot open it.
Now, open c:\test\notepad_noaccess.txt using WordPad instead of Notepad. Note that you are able to access it and save to it, because you are not using Notepad.
What this excercise does is show you how you use the Application Control Policy to define specific behaviors for a particular application. Because you have already done most of the work, you never have to re-create the BCD rules -- the Application Control Policy is like a library -- you can always go back and copy the BCD to another IPS policy.
Note that we only touched on the Resource Lists (Read/Write/Access) portion of the BCD. There are also settings for Network Controls(Addresses/Ports), SysCall Options (Mount filesystems, create hardlinks) and the logging of other Processes that are spawned by the Application (like if the program called the Print Spooler to print something).